c0f579ff6d
This allows a jail to have a VPN config associated with it; as a result we start a new net namespace, completely isolating the jail's networking. We then start an openVPN client to route between the main network and the jail's network. The main limitation here is that we don't set up DNS, which basically means that the VPN will route DNS calls to the other side, but since we don't remount resolv.conf this depends on the VPN provider actually mapping the nameserver we use. For people that use a nameserver like 192.168.100.1, this works just fine most of the time. Improvement is possible.
55 lines
1.3 KiB
C++
#ifndef RUNNER_H
#define RUNNER_H
#include "Message.h"
#include <deque>
#include <filesystem>
/**
 * Rewrites the process name that is visible to the system.
 *
 * @param nameBlob  writable buffer that currently holds the name (presumably the
 *                  same buffer handed to Runner::setProcessName — confirm in the
 *                  definition).
 * @param blobSize  number of bytes available in @p nameBlob. The definition is
 *                  expected to stay within this bound; confirm, since an
 *                  over-long @p newName must not overrun the buffer.
 * @param newName   NUL-terminated replacement name.
 */
void renameThisProcess(char *nameBlob, int blobSize, const char *newName);
/**
 * Sets up and runs one jailed process on behalf of the security manager.
 *
 * A Runner is built from a Message (the jail request) and an error file
 * descriptor; run() does the actual work. Everything except addPipe() is
 * implemented out of line, so the contracts below are read off the
 * declarations and the commit message (a VPN config gives the jail its own
 * net namespace plus an openVPN client) and should be confirmed against the
 * definitions.
 *
 * NOTE(review): uint32_t and std::string are used but <cstdint> and <string>
 * are not included directly; they presumably arrive via Message.h — confirm.
 */
class Runner
{
public:
    /**
     * @param message   the jail request this runner executes; presumably kept
     *                  as m_message — confirm.
     * @param errorFile file descriptor that errors are reported on; presumably
     *                  stored as m_outputFD and used by sendUpstream() — confirm.
     */
    Runner(const Message &message, int errorFile);

    /**
     * The user Id that owns the security manager.
     */
    void setOwnerUserId(uint32_t uid);

    /**
     * Hands the runner a writable buffer in which the process name may be
     * rewritten (see renameThisProcess()). Only the pointer and the size are
     * stored (m_processName / m_processNameSize); the buffer stays owned by
     * the caller and must outlive the Runner.
     *
     * @param name          start of the buffer.
     * @param allocatedSize number of bytes available at @p name.
     */
    void setProcessName(char *name, int allocatedSize);

    /**
     * Registers a file descriptor for the jailed process. Only the number is
     * recorded (appended to m_pipes); what run() does with the descriptors is
     * not visible in this header.
     */
    void addPipe(int fd) {
        m_pipes.push_back(fd);
    }

    /// Executes the jail described by m_message.
    void run();

private:
    /// Reports @p errorMessage upstream (presumably over m_outputFD — confirm).
    void sendUpstream(const char *errorMessage);
    /// Copies @p from into the jail at @p to; returns false on failure.
    bool runCopy(const std::string &from, const std::filesystem::path &to) const;
    /// Copies a single file @p from to @p to; returns false on failure.
    bool copySingle(const std::filesystem::path &from, const std::filesystem::path &to) const;
    // copy env, but filter by the details from m_message
    // NOTE(review): the capacity @p target must provide is not stated here;
    // confirm the contract in the definition before adding callers.
    void copyFilteredEnv(char **from, char **target);
    /// Presumably creates @p dir including missing parents — confirm.
    void mkdirs(const std::filesystem::path &dir) const;
    /// Runs the jail's init script; the returned int is presumably its exit status — confirm.
    int runInitScript();

    /**
     * Starts the encrypted filesystem for the jail (presumably EncFS, going by
     * the name). @p password is a caller-owned buffer of @p strlen bytes; no
     * member of this class retains it.
     * NOTE(review): the parameter name hides ::strlen inside the definition if
     * <cstring> is visible there.
     */
    int runEncFs(const char *password, int strlen) const;

    const int m_outputFD;          ///< descriptor for upstream reporting; const, so fixed at construction
    uint32_t m_ownerUid = 0;       ///< set by setOwnerUserId()
    uint32_t m_jailId = 0;
    Message m_message;

    // vpn stuff
    // Per the commit message a jail may carry a VPN config; the jail then gets
    // its own network namespace and an openVPN client routes between it and the
    // main network. DNS is not set up (resolv.conf is not remounted), so name
    // resolution depends on the VPN provider reaching the configured nameserver.
    std::string m_vpnBasePath;     ///< location of the VPN configuration
    bool m_vpnHasPwdFile = false;  ///< whether a credentials file accompanies the VPN config
    std::string m_netNsName;       ///< name of the jail's network namespace

    char *m_processName = nullptr; ///< non-owning; buffer supplied via setProcessName()
    int m_processNameSize = 0; // the amount of bytes allocated to it.
    std::deque<int> m_pipes;       ///< descriptors registered with addPipe()
};
#endif